Record OpenBao authenticated verifier proof

2026-06-01 22:52:42 +02:00
parent 5e4040d43d
commit c0c6ead5dd
1 changed files with 10 additions and 0 deletions
--- a/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md
+++ b/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md
@@ -276,6 +276,16 @@ through the local shell at all. Durable audit shipping beyond the audit PVC
 remains intentionally open until a tested sink is selected; State Hub notes and
 hashes are evidence, not retained audit custody.

+**2026-06-01:** Ran the authenticated verifier against the live pod token
+helper immediately after a fresh `bao login -no-print -method=oidc
+-path=keycape role=platform-admin` browser/MFA flow. The verifier passed:
+OpenBao is unsealed on `2.5.4`, `bao audit list` shows `file/`,
+`bao secrets list` shows `platform/`, `bao auth list` shows `kubernetes/` and
+`keycape/`, and `/openbao/audit/openbao-audit.log` grew from 7969 bytes to
+23330 bytes during the check. No token value was printed or copied into the
+workplan. The cached verifier token was then revoked with
+`bao token revoke -self`.
+
 ### T07 - Cross-Repo Transition Tasks

 ```task